build-langchain-ts-app

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests public third-party content — e.g., the "web_search" tool ("Search the web for current information") in the Production Pattern, the search_code/search_notion/search_slack tools in the Multi-Knowledge-Base Routing, the load_skill tool that returns skill.content, and the resolveDbPath example that fetches Chinook.db from a public URL — and the agent is shown reading and acting on those results (RAG, routing, SQL generation), which clearly enables indirect prompt injection from untrusted/user-generated sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill's resolveDbPath() fetches https://storage.googleapis.com/benchmarks-artifacts/chinook/Chinook.db at runtime and the resulting database/schema is injected into the agent's system prompt (getSystemPrompt → getSchema), so external content from that URL directly controls prompts used by the agent.